/* goodG2B() - use GoodSource and BadSink */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; /* FIX: Use a hardcoded string */ data = "foo"; CWE113_HTTP_Response_Splitting__URLConnection_addHeaderServlet_81_base baseObject = new CWE113_HTTP_Response_Splitting__URLConnection_addHeaderServlet_81_goodG2B(); baseObject.action(data, request, response); }
/* goodB2G() - use BadSource and GoodSink */ private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; data = ""; /* Initialize data */ /* read input from URLConnection */ { URLConnection urlConnection = (new URL("http://www.example.org/")).openConnection(); BufferedReader readerBuffered = null; InputStreamReader readerInputStream = null; try { readerInputStream = new InputStreamReader(urlConnection.getInputStream(), "UTF-8"); readerBuffered = new BufferedReader(readerInputStream); /* POTENTIAL FLAW: Read data from a web server with URLConnection */ /* This will be reading the first "line" of the response body, * which could be very long if there are no newlines in the HTML */ data = readerBuffered.readLine(); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* clean up stream reading objects */ try { if (readerBuffered != null) { readerBuffered.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStream != null) { readerInputStream.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } } } CWE113_HTTP_Response_Splitting__URLConnection_addHeaderServlet_81_base baseObject = new CWE113_HTTP_Response_Splitting__URLConnection_addHeaderServlet_81_goodB2G(); baseObject.action(data, request, response); }